No one wants to be associated with a data breach, least of all an acquiring bank or payment processor. Still, the financial industry is increasingly finding itself a target. For instance, Sophos’ State of Ransomware in Financial Services 2023 found that the rate of ransomware attacks in the financial sector was 64%, up from 55% the previous year, and that the rate has almost doubled since 2021. Sophos research also confirmed that financial institutions are fighting back with payment security solutions, making substantial investments in endpoint protection, zero-trust solutions, 24/7 threat detection, and other technologies. Still, threat actors continue to find their way in through phishing and email schemes and by exploiting vulnerabilities.
Where Threat Actors Find Vulnerabilities
Although acquirers work hard to build iron-clad cybersecurity into their own IT ecosystems, they need to do more. It’s also critical to consider their partners’ payment technology. Attackers have succeeded in gaining entry to systems and stealing data by exploiting vulnerabilities in payment devices. The Register reported in 2022 that threat actors used two types of point-of-sale malware to infect payment terminals and steal data from more than 167,000 credit card accounts. A few years earlier, hackers deployed malware on a convenience store chain’s in-store and fuel-pump payment terminals to steal credit card data, affecting about 34 million consumer accounts.
Attacks of this nature underscore the importance of partnering with payment technology companies that take a security-first approach to device design and platform development. Acquirers who partner with companies that market devices with vulnerabilities can invite cyberattacks and data breaches. If a breach occurs, the devices listed on your website become a liability to your business’s reputation.
How to Evaluate a Partner’s Payment Technology Security Posture
Working with a payment technology partner that is Payment Card Industry (PCI) certified is a given. The PCI Data Security Standard (PCI DSS) includes technical requirements for devices, infrastructure, and systems involved in processing payment transactions. You must begin vetting a partner by ensuring the company and its specific products are included on PCI’s list of approved PIN Transaction Security (PTS) devices.
However, acquirers should do more to ensure the payment devices they’re enabling merchants to use provide the highest degree of security. Acquirers must investigate the payment technology company’s approach and get the answers they need to ensure their partners have an effective strategy.
Ingenico, for example, takes a balanced approach to security. Our strategy is to limit the footprint where cardholder data exists within a network, keeping the attack surface small. Then, we focus on creating multiple layers to secure cardholder data, including point-to-point encryption (P2PE), which protects data in transit from the payment terminal to your system and on to the card brands. It replaces human-readable card data with ciphertext, which can only be decrypted with the corresponding key. Tokenization also helps to protect cardholder data. It replaces readable cardholder information with a randomly generated code (a token) that merchants can use to “remember” a customer’s account for convenience on future purchases. Because the token is not derived from the card number, it doesn’t put data at risk if a cybercriminal gains access to a merchant’s IT environment. A layered approach helps to protect data because if threat actors gain access to a system, they won’t find anything monetizable to steal or hold for ransom.
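To make the tokenization point concrete, here is an added illustration that is not Ingenico’s code and not part of the original article. It models a hypothetical token vault: the merchant receives a token that shares only the last four digits with the real card number (PAN), the token is generated randomly rather than derived from the PAN, and the PAN itself lives only inside the vault. The sample PAN is a constructed, well-known test number, and the `TokenVault` class, `luhn_valid` helper, and token format (12 random digits plus the last four) are assumptions for the example, not a description of any vendor’s product.

```python
import secrets
import string

# Constructed sample PAN: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Hypothetical token vault (example only).

    The vault holds the only mapping from token to PAN. A merchant that stores
    the token cannot recover the PAN from it, because the token body is chosen
    at random rather than computed from the card number.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not 12 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        last4 = pan[-4:]
        while True:
            # 12 random digits + last four: looks card-shaped for merchant
            # systems, but carries no information about the other 12 digits.
            body = "".join(secrets.choice(string.digits) for _ in range(12))
            token = body + last4
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (not the merchant) can map a token back to a PAN."""
        return self._token_to_pan[token]


def shared_prefix_digits(token: str, pan: str) -> int:
    """How many leading digits a token shares with the PAN (for inspection)."""
    n = 0
    for a, b in zip(token, pan):
        if a != b:
            break
        n += 1
    return n


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What a merchant would persist after tokenization: the token and
    last four digits for display, never the PAN itself."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "**** **** **** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, SAMPLE_PAN)
    print("merchant stores:", record)
    print("vault resolves :", vault.detokenize(record["token"]))
```

Running the script shows the merchant-side record containing only the token and a masked display string; the `detokenize` call works only because the vault object is in the same process, which stands in for the separate, hardened vault service a real deployment would use.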
Another way to ensure your payment technology partner has a good security track record is to do your due diligence and research the company. Search the internet, read the headlines, and familiarize yourself with past data breaches and investigations. If you find red flags, dig deeper so you can make the best decisions for the merchants you serve and for your business.
An effectively marketed payment technology company is no guarantee of a partner that will help you keep cardholder data secure. Approach partnerships circumspectly.
To learn more about Ingenico’s approach to payment security, our balanced approach to keeping cardholder data safe, and our security-first strategy for product development, contact us.